What should a solutions architect do to protect the application?
Modify the network ACL on the CloudFront distribution to add a deny rule for the malicious IP address.
Modify the configuration of AWS WAF to add an IP match condition to block the malicious IP address.
Modify the network ACL for the EC2 instances in the target groups behind the ALB to deny the malicious IP address.
Modify the security groups for the EC2 instances in the target groups behind the ALB to deny the malicious IP address.
Explanations:
Network ACLs are associated with VPCs, not directly with CloudFront distributions. CloudFront does not have network ACLs; it uses AWS WAF for request filtering. Therefore, modifying the network ACL for CloudFront will not block the malicious IP.
AWS WAF is specifically designed to filter web traffic and can block requests based on IP addresses. By adding an IP match condition to the WAF, the malicious IP can be effectively blocked from accessing the application.
Modifying network ACLs for EC2 instances would not be effective since the traffic is first routed through the ALB and then to the instances. The network ACLs are evaluated before traffic reaches the ALB, and blocking at this level may not prevent requests from the CloudFront distribution.
Security groups operate at the instance level and do not support explicit deny rules. They are stateful and primarily used for allowing traffic. Since the malicious traffic would already reach the ALB, modifying security groups for the EC2 instances would not block the malicious IP effectively.
I estimate that the answer is:
Modify the configuration of AWS WAF to add an IP match condition to block the malicious IP address.